brakeman 1.9.4 → 1.9.5

checksums.yaml

@@ -1,7 +1,7 @@
 --- 
 SHA512: 
-  metadata.gz: b29913808e5de71c6f0e13ab91142f730fdce339829e8fbfc91deca3eb0ce95eb24ce2e58e9fe576f121bce7f63a2015aa84866ac2bb41d07a266081c8e76293
-  data.tar.gz: 81669ba7654b7ced4214430613064484ba5fc7ea6a331ee31dd8aeea294621fda75b23b3caee0d1effec0b3fd67c7f636ee5e0868e17d337b6ac4a180e305db6
+  metadata.gz: 5fec83c0cb268acf3954ea08df30a173ad10b3121d4d30d18c1670de66cf17d01fde3d0649c28f5c5570938d9d4a13368af819f4d580800441c1cdf4b4873cd2
+  data.tar.gz: ff597aced590649b3a90cf2f895407f9e347a8a81b1f34337e2eff32310958c34bbe711985b70ce58f6f91eb658bc8d6db533819b881fb4d3ec9fa3842cb751e
 SHA1: 
-  metadata.gz: 1f0ed0d4abb525abf8c95b72133ea5c304325075
-  data.tar.gz: 48837c8bdab262f44bf27c8962e13d4c9808589d
+  metadata.gz: b4735612d0032bfd8a72f0feb285ee4e704a3a1a
+  data.tar.gz: 1898b18fbf38409a98ba3b5517f3896b057872c9

data/CHANGES

@@ -1,3 +1,18 @@
+# 1.9.5
+
+ * Add check for unsafe symbol creation
+ * Do not warn on mass assignment with `slice`/`only`
+ * Do not warn on session secret if in `.gitignore`
+ * Fix scoping for blocks and block arguments
+ * Fix error when modifying blocks in templates
+ * Fix session secret check for Rails 4
+ * Fix crash on `before_filter` outside controller
+ * Fix `Sexp` hash cache invalidation
+ * Respect `quiet` option in configuration file
+ * Convert assignment to simple `if` expressions to `or`
+ * More fixes for assignments inside branches
+ * Pin to ruby2ruby version 2.0.3
+
 # 1.9.4
  
  * Add check for CVE-2013-1854

data/README.md

@@ -26,6 +26,12 @@ Using RubyGems:
 
     gem install brakeman
 
+Using Bundler, add to development group in Gemfile:
+
+    group :development do
+      gem 'brakeman', :require => false
+    end
+
 From source:
 
     gem build brakeman.gemspec

data/lib/brakeman.rb

@@ -65,7 +65,12 @@ module Brakeman
 
     options[:app_path] = File.expand_path(options[:app_path])
 
-    options = load_options(options[:config_file]).merge! options
+    file_options = load_options(options[:config_file])
+
+    options = file_options.merge options
+
+    options[:quiet] = true if options[:quiet].nil? && file_options[:quiet]
+
     options = get_defaults.merge! options
     options[:output_formats] = get_output_formats options
 
@@ -89,9 +94,9 @@ module Brakeman
   def self.load_options custom_location
     #Load configuration file
     if config = config_file(custom_location)
-      notify "[Notice] Using configuration in #{config}"
       options = YAML.load_file config
       options.each { |k, v| options[k] = Set.new v if v.is_a? Array }
+      notify "[Notice] Using configuration in #{config}" unless options[:quiet]
       options
     else
       {}

data/lib/brakeman/checks/check_link_to.rb

@@ -23,14 +23,10 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
     @known_dangerous = []
     #Ideally, I think this should also check to see if people are setting
     #:escape => false
-    methods = tracker.find_call :target => false, :method => :link_to
-
     @models = tracker.models.keys
     @inspect_arguments = tracker.options[:check_arguments]
 
-    methods.each do |call|
-      process_result call
-    end
+    tracker.find_call(:target => false, :method => :link_to).each {|call| process_result call}
   end
 
   def process_result result
@@ -61,68 +57,68 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
     end
   end
 
+  # Check the argument for possible xss exploits
   def check_argument result, exp
-    arg = process exp
-
-    if input = has_immediate_user_input?(arg)
-      case input.type
-      when :params
-        message = "Unescaped parameter value in link_to"
-      when :cookies
-        message = "Unescaped cookie value in link_to"
-      else
-        message = "Unescaped user input value in link_to"
-      end
+    argument = process(exp)
+    !check_user_input(result, argument) && !check_method(result, argument) && !check_matched(result, @matched)
+  end
 
-      add_result result
-      warn :result => result,
-        :warning_type => "Cross Site Scripting",
-        :warning_code => :xss_link_to,
-        :message => message,
-        :user_input => input.match,
-        :confidence => CONFIDENCE[:high],
-        :link_path => "link_to"
-
-    elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg)
-      method = match.method
-
-      unless IGNORE_MODEL_METHODS.include? method
-        add_result result
-
-        if MODEL_METHODS.include? method or method.to_s =~ /^find_by/
-          confidence = CONFIDENCE[:high]
-        else
-          confidence = CONFIDENCE[:med]
-        end
-
-        warn :result => result,
-          :warning_type => "Cross Site Scripting",
-        :warning_code => :xss_link_to,
-          :message => "Unescaped model attribute in link_to",
-          :user_input => match,
-          :confidence => confidence,
-          :link_path => "link_to"
-      end
+  # Check we should warn about the user input
+  def check_user_input(result, argument)
+    input = has_immediate_user_input?(argument)
+    return false unless input
+
+    case input.type
+    when :params
+      message = "Unescaped parameter value in link_to"
+    when :cookies
+      message = "Unescaped cookie value in link_to"
+    else
+      message = "Unescaped user input value in link_to"
+    end
 
-    elsif @matched
-      if @matched.type == :model and not tracker.options[:ignore_model_output]
-        message = "Unescaped model attribute in link_to"
-      elsif @matched.type == :params
-        message = "Unescaped parameter value in link_to"
-      end
+    warn_xss(result, message, input.match, CONFIDENCE[:high])
+  end
 
-      if message
-        add_result result
+  # Check if we should warn about the specified method
+  def check_method(result, argument)
+    return false if tracker.options[:ignore_model_output]
+    match = has_immediate_model?(argument)
+    return false unless match
+    method = match.method
+    return false if IGNORE_MODEL_METHODS.include? method
+
+    confidence = CONFIDENCE[:med]
+    confidence = CONFIDENCE[:high] if MODEL_METHODS.include? method or method.to_s =~ /^find_by/
+    warn_xss(result, "Unescaped model attribute in link_to", match, confidence)
+  end
 
-        warn :result => result,
-          :warning_type => "Cross Site Scripting",
-          :warning_code => :xss_link_to,
-          :message => message,
-          :user_input => @matched.match,
-          :confidence => CONFIDENCE[:med],
-          :link_path => "link_to"
-      end
+  # Check if we should warn about the matched result
+  def check_matched(result, matched = nil)
+    return false unless matched
+    message = nil
+
+    if matched.type == :model and not tracker.options[:ignore_model_output]
+      message = "Unescaped model attribute in link_to"
+    elsif matched.type == :params
+      message = "Unescaped parameter value in link_to"
     end
+
+    message ? warn_xss(result, message, @matched.match, CONFIDENCE[:med]) : false
+  end
+
+  # Create a warn for this xss
+  def warn_xss(result, message, user_input, confidence)
+    add_result(result)
+    warn :result => result,
+      :warning_type => "Cross Site Scripting",
+      :warning_code => :xss_link_to,
+      :message => message,
+      :user_input => user_input,
+      :confidence => confidence,
+      :link_path => "link_to"
+
+    true
   end
 
   def process_call exp
@@ -135,16 +131,12 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
     return if @matched
 
     target = exp.target
-    if sexp? target
-      target = process target.dup
-    end
+    target = process target.dup if sexp? target
 
     #Bare records create links to the model resource,
     #not a string that could have injection
     #TODO: Needs test? I think this is broken?
-    if model_name? target and context == [:call, :arglist]
-      return exp
-    end
+    return exp if model_name? target and context == [:call, :arglist]
 
     super
   end

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -59,7 +59,11 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
       if attr_protected and tracker.options[:ignore_attr_protected]
         return
       elsif input = include_user_input?(call.arglist)
-        if not hash? call.first_arg and not attr_protected
+        first_arg = call.first_arg
+
+        if call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
+          return
+        elsif not node_type? first_arg, :hash and not attr_protected
           confidence = CONFIDENCE[:high]
           user_input = input.match
         else

data/lib/brakeman/checks/check_session_settings.rb

@@ -23,12 +23,10 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
 
     check_for_issues settings, "#{tracker.options[:app_path]}/config/environment.rb"
 
-    if tracker.initializers["session_store.rb"]
-      process tracker.initializers["session_store.rb"]
-    end
-
-    if tracker.initializers["secret_token.rb"]
-      process tracker.initializers["secret_token.rb"]
+    ["session_store.rb", "secret_token.rb"].each do |file|
+      if tracker.initializers[file] and not ignored? file
+        process tracker.initializers[file]
+      end
     end
   end
 
@@ -37,13 +35,16 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   #
   #and App::Application.config.secret_token =
   #in Rails 3.x apps
+  #
+  #and App::Application.config.secret_key_base =
+  #in Rails 4.x apps
   def process_attrasgn exp
     if not tracker.options[:rails3] and exp.target == @session_settings and exp.method == :session=
       check_for_issues exp.first_arg, "#{tracker.options[:app_path]}/config/initializers/session_store.rb"
     end
 
     if tracker.options[:rails3] and settings_target?(exp.target) and
-      exp.method == :secret_token= and string? exp.first_arg
+      (exp.method == :secret_token= or exp.method == :secret_key_base=) and string? exp.first_arg
 
       warn_about_secret_token exp, "#{tracker.options[:app_path]}/config/initializers/secret_token.rb"
     end
@@ -132,4 +133,14 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
       :line => value.line,
       :file => file
   end
+
+  def ignored? file
+    if @app_tree.exists? ".gitignore"
+      input = @app_tree.read(".gitignore")
+
+      input.include? file
+    else
+      false
+    end
+  end
 end

data/lib/brakeman/checks/check_symbol_dos.rb

@@ -3,7 +3,7 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
-  @description = "Checks for versions with ActiveRecord symbol denial of service" 
+  @description = "Checks for versions with ActiveRecord symbol denial of service, or code with a similar vulnerability"
 
   def run_check
     fix_version = case
@@ -14,10 +14,10 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
       when version_between?('3.2.0', '3.2.12')
         '3.2.13'
       else
-        return
+        nil
       end
 
-    unless active_record_models.empty?
+    if fix_version && active_record_models.any?
       warn :warning_type => "Denial of Service",
         :warning_code => :CVE_2013_1854,
         :message => "Rails #{tracker.config[:rails_version]} has a denial of service vulnerability in ActiveRecord: upgrade to #{fix_version} or patch",
@@ -25,5 +25,52 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
         :file => gemfile_or_environment,
         :link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ"
     end
+
+    tracker.find_call(:methods => [:to_sym, :literal_to_sym], :nested => true).each do |result|
+      check_unsafe_symbol_creation(result)
+    end
+
   end
+
+  def check_unsafe_symbol_creation result
+
+    call = result[:call]
+    if result[:method] == :to_sym
+      args = [call.target]
+    else
+      args = call.select { |e| sexp? e }
+    end
+
+    if input = args.map{ |arg| has_immediate_user_input?(arg) }.compact.first
+      confidence = CONFIDENCE[:high]
+    elsif input = args.map{ |arg| include_user_input?(arg) }.compact.first
+      confidence = CONFIDENCE[:med]
+    end
+
+    if confidence
+      input_type = case input.type
+                   when :params
+                     "parameter value"
+                   when :cookies
+                     "cookies value"
+                   when :request
+                     "request value"
+                   when :model
+                     "model attribute"
+                   else
+                     "user input"
+                   end
+
+      message = "Symbol conversion from unsafe string (#{input_type})"
+
+      warn :result => result,
+        :warning_type => "Denial of Service",
+        :warning_code => :unsafe_symbol_creation,
+        :message => message,
+        :user_input => input.match,
+        :confidence => confidence
+    end
+
+  end
+
 end

data/lib/brakeman/processors/alias_processor.rb

@@ -19,7 +19,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def initialize tracker = nil
     super()
     @env = SexpProcessor::Environment.new
-    @inside_if = []
+    @inside_if = false
     @ignore_ifs = nil
     @exp_context = []
     @current_module = nil
@@ -167,6 +167,41 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp
   end
 
+  def process_call_with_block exp
+    exp[1] = process exp.block_call
+
+    env.scope do
+      exp.block_args.each do |e|
+        #Force block arg(s) to be local
+        if node_type? e, :lasgn
+          env.current[Sexp.new(:lvar, e.lhs)] = e.rhs
+        elsif node_type? e, :masgn
+          e[1..-1].each do |var|
+            local = Sexp.new(:lvar, var)
+            env.current[local] = local
+          end
+        elsif e.is_a? Symbol
+          local = Sexp.new(:lvar, e)
+          env.current[local] = local
+        else
+          raise "Unexpected value in block args: #{e.inspect}"
+        end
+      end
+
+      block = exp.block
+
+      if block? block
+        process_all! block
+      else
+        exp[3] = process block
+      end
+    end
+
+    exp
+  end
+
+  alias process_iter process_call_with_block
+
   #Process a new scope.
   def process_scope exp
     env.scope do
@@ -232,8 +267,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def process_gasgn exp
     match = Sexp.new(:gvar, exp.lhs)
     value = exp.rhs = process(exp.rhs)
+    value.line = exp.line
 
-    set_value match, value, exp.line
+    set_value match, value
 
     exp
   end
@@ -244,7 +280,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     match = Sexp.new(:cvar, exp.lhs)
     value = exp.rhs = process(exp.rhs)
 
-    set_value match, value, exp.line
+    set_value match, value
 
     exp
   end
@@ -265,7 +301,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       value = exp.second_arg = process(value_arg)
       match = Sexp.new(:call, target, :[], index)
 
-      set_value match, value, exp.line
+      set_value match, value
 
       if hash? target
         env[tar_variable] = hash_insert target.deep_clone, index, value
@@ -275,7 +311,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       #This is what we'll replace with the value
       match = Sexp.new(:call, target, method.to_s[0..-2].to_sym)
 
-      set_value match, value, exp.line
+      set_value match, value
     else
       raise "Unrecognized assignment: #{exp}"
     end
@@ -377,34 +413,69 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 
     condition = process exp.condition
 
+    #Check if a branch is obviously going to be taken
     if true? condition
       no_branch = true
-      exps = [exp.then_clause]
+      exps = [exp.then_clause, nil]
     elsif false? condition
       no_branch = true
-      exps = [exp.else_clause]
+      exps = [nil, exp.else_clause]
     else
       no_branch = false
       exps = [exp.then_clause, exp.else_clause]
     end
 
-    exps.each do |e|
-      @inside_if << [] unless no_branch or @ignore_ifs
-
-      if sexp? e
-        if e.node_type == :block
-          process_default e #avoid creating new scope
-        else
-          process e
+    if @ignore_ifs or no_branch
+      exps.each_with_index do |branch, i|
+        exp[2 + i] = process_if_branch branch
+      end
+    else
+      was_inside = @inside_if
+      @inside_if = true
+
+      branch_scopes = []
+      exps.each_with_index do |branch, i|
+        scope do
+          branch_index = 2 + i # s(:if, condition, then_branch, else_branch)
+          exp[branch_index] = process_if_branch branch
+          branch_scopes << env.current
         end
       end
 
-      @inside_if.pop unless no_branch or @ignore_ifs
+      @inside_if = was_inside
+
+      branch_scopes.each do |s|
+        merge_if_branch s
+      end
     end
 
     exp
   end
 
+  def process_if_branch exp
+    if sexp? exp
+      if block? exp
+        process_default exp
+      else
+        process exp
+      end
+    end
+  end
+
+  def merge_if_branch branch_env
+    branch_env.each do |k, v|
+      current_val = env[k]
+
+      if current_val
+        unless same_value? current_val, v
+          env[k] = Sexp.new(:or, current_val, v).line(k.line || -2)
+        end
+      else
+        env[k] = v
+      end
+    end
+  end
+
   #Process single integer access to an array.
   #
   #Returns the value inside the array, if possible.
@@ -601,12 +672,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     nil
   end
 
-  #Return true if this value should be "branched" - i.e. converted into an or
-  #expression with two or more values
-  def branch_value? exp
-    not (@inside_if.empty? or @inside_if.last.include? exp)
-  end
-
   #Return true if lhs == rhs or lhs is an or expression and
   #rhs is one of its values
   def same_value? lhs, rhs
@@ -619,32 +684,41 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     end
   end
 
+  def value_from_if exp
+    if block? exp.else_clause or block? exp.then_clause
+      #If either clause is more than a single expression, just use entire
+      #if expression for now
+      exp
+    elsif exp.else_clause.nil?
+      exp.then_clause
+    elsif exp.then_clause.nil?
+      exp.else_clause
+    else
+      condition = exp.condition
+
+      if true? condition
+        exp.then_clause
+      elsif false? condition
+        exp.else_clause
+      else
+        Sexp.new(:or, exp.then_clause, exp.else_clause).line(exp.line)
+      end
+    end
+  end
+
   #Set variable to given value.
   #Creates "branched" versions of values when appropriate.
   #Avoids creating multiple branched versions inside same
   #if branch.
-  def set_value var, value, line = nil
-    unless @ignore_ifs
-      current_val = env[var]
-      current_if = @inside_if.last
-
-      if branch_value? var and current_val = env[var]
-        unless same_value? current_val, value
-          env[var] = Sexp.new(:or, current_val, value).line(line || var.line || -2)
-          current_if << var
-        end
-      elsif current_if and current_if.include?(var) and node_type?(current_val, :or)
-        #Replace last value instead of creating another or
-        current_val.rhs = value
-      else
-        env[var] = value
+  def set_value var, value
+    if node_type? value, :if
+      value = value_from_if(value)
+    end
 
-        if current_if
-          current_if << var
-        end
-      end
-    else
+    if @ignore_ifs or not @inside_if
       env[var] = value
+    else
+      env.current[var] = value
     end
   end